1. Field of Invention
This invention relates to an apparatus and method for the electronic generation and verification of a dynamic code, or dynamic password, also known as a one-time password (OTP) [1], that minimizes the costs related to deployment and client-server synchronization, and that protects online authentication credentials and online transactions over wired or wireless networks, such as the internet.
2. Description of Prior Art
With the increased usage of the internet, new websites are coming online constantly. Increased access to websites is inevitably accompanied by an increase in the number of online accounts. For websites that allow only selected and privileged access, such as websites related to banking, financial services, ecommerce, subscriptions, etc., protection of these privileged online accounts has usually been through an account userID (or username) and password that the privileged account user set up when opening the account. Account access using login credentials such as a userID and password is still the norm today, even though it is widely acknowledged that a static userID and password are not secure enough in today's elevated threat environment, wired or wireless. Static passwords are subject to phishing and replay attacks. Concerns over security and authentication for account identity and access management have pushed the advancement and deployment of the one-time password (OTP).
An OTP, namely a one-time password [1], or one-time pad, can be used only once, which renders stealing of the OTP meaningless. Since an OTP cannot be replayed, it expires once it has been created and used, and phishing for an OTP becomes useless. OTP generation usually involves feeding a device static secret, which is shared between the client and the corresponding server, one or more dynamic variables, and possibly other additional parameters, into a predefined cryptographic one-way secure hashing algorithm, such as MD5, SHA-1 or others, to produce an OTP, which is then used as the (dynamic) password in a secured account login process. The device static secret is pre-installed securely on the client OTP generator and on the server. The dynamic variable(s) and parameter(s) such as salt(s) can also be pre-installed or calculated on the fly.
OTP has been used for identity and access to high-worth network accounts, including high-worth bank accounts, financial service accounts, ecommerce accounts, high-security corporate accounts, etc. It is not a common form of account access, due to the high cost of its deployment. To start with, synchronization between the client OTP generator and the corresponding server OTP generator, usually through time-based synchronization or counter-based (or event-based) synchronization, is often required to make the OTP system work. When the client and server generators are out of sync, which happens often for various reasons, re-synchronization is necessary, and the re-synchronization incurs substantial additional support and maintenance costs.
SecurID by RSA [5] is a patented [2],[3] time-based OTP system. It is one of the early OTP systems in general deployment, with its client OTP generator tokens reaching millions of users. Its client-server synchronization is based on the time clock on the client token and on the server. Sync initialization and re-sync can be carried out in many ways, such as implementing a time-compensation, or time-shift, dynamic variable to accommodate the problem of the time clock drifting out of sync. When the out-of-sync problem cannot be resolved automatically by the time-shift dynamic variable fix, the client generator usually needs to be recalled for repair.
HOTP, the HMAC-based one-time password [4], is a publicly supported counter-based OTP system. It requires a static secret (the secret key) and a dynamic variable (the counter). It, too, requires initial synchronization and any necessary follow-on re-sync of the counter when it becomes out of sync with the server. Continuing synchronization can also be carried out, such as implementing a counter-shift allowance dynamic variable to accommodate the counter out-of-sync problem. When the out-of-sync problem cannot be resolved automatically by the counter-shift allowance fix, the client generator usually needs to be recalled for repair.
There are many more OTP system vendors, such as Aladdin [8], Gemalto [9], etc. But all OTP systems offered to date require initial synchronization, and re-sync when out of sync, between the client generator and the server so that the OTP system can continue to work properly.
For an OTP system to be available to the mass general public for any network account access, wired or wireless, it must minimize deployment, support and maintenance costs. One obvious area in which to minimize OTP system costs is to reduce or eliminate the synchronization costs. At the same time, it must also live up to the security requirement that the account access demands, such as for a privileged account. The minimum-cost OTP system must produce a one-time-use password with a security strength that prevents replay attacks, at least more secure than simple username and password protection; it should also be easy to use and easy and inexpensive to deploy.